drivers/reset/core.c | 1 - 1 file changed, 1 deletion(-)
When __auxiliary_device_add() fails, reset_add_gpio_aux_device()
calls auxiliary_device_uninit(adev).
The device release callback reset_gpio_aux_device_release() frees
adev, but the current error path then calls kfree(adev) again,
causing a double free.
Keep kfree(adev) for the auxiliary_device_init() failure path, but
avoid freeing adev after auxiliary_device_uninit().
Fixes: 5fc4e4cf7a22 ("reset: gpio: use software nodes to setup the GPIO lookup")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/reset/core.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/reset/core.c b/drivers/reset/core.c
index 0135dd0ae204..58ecde760b6e 100644
--- a/drivers/reset/core.c
+++ b/drivers/reset/core.c
@@ -856,7 +856,6 @@ static int reset_add_gpio_aux_device(struct device *parent,
ret = __auxiliary_device_add(adev, "reset");
if (ret) {
auxiliary_device_uninit(adev);
- kfree(adev);
return ret;
}
--
2.43.0On Sat, 21 Mar 2026 08:42:40 +0100, Guangshuo Li
<lgs201920130244@gmail.com> said:
> When __auxiliary_device_add() fails, reset_add_gpio_aux_device()
> calls auxiliary_device_uninit(adev).
>
> The device release callback reset_gpio_aux_device_release() frees
> adev, but the current error path then calls kfree(adev) again,
> causing a double free.
>
> Keep kfree(adev) for the auxiliary_device_init() failure path, but
> avoid freeing adev after auxiliary_device_uninit().
>
> Fixes: 5fc4e4cf7a22 ("reset: gpio: use software nodes to setup the GPIO lookup")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
> drivers/reset/core.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/reset/core.c b/drivers/reset/core.c
> index 0135dd0ae204..58ecde760b6e 100644
> --- a/drivers/reset/core.c
> +++ b/drivers/reset/core.c
> @@ -856,7 +856,6 @@ static int reset_add_gpio_aux_device(struct device *parent,
> ret = __auxiliary_device_add(adev, "reset");
> if (ret) {
> auxiliary_device_uninit(adev);
> - kfree(adev);
> return ret;
> }
>
> --
> 2.43.0
>
>
With recent changes in reset core this all went away but yeah, looks right
and should be backported.
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
On Mo, 2026-03-23 at 03:05 -0700, Bartosz Golaszewski wrote:
> On Sat, 21 Mar 2026 08:42:40 +0100, Guangshuo Li
> <lgs201920130244@gmail.com> said:
> > When __auxiliary_device_add() fails, reset_add_gpio_aux_device()
> > calls auxiliary_device_uninit(adev).
> >
> > The device release callback reset_gpio_aux_device_release() frees
> > adev, but the current error path then calls kfree(adev) again,
> > causing a double free.
> >
> > Keep kfree(adev) for the auxiliary_device_init() failure path, but
> > avoid freeing adev after auxiliary_device_uninit().
> >
> > Fixes: 5fc4e4cf7a22 ("reset: gpio: use software nodes to setup the GPIO lookup")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> > ---
> > drivers/reset/core.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/reset/core.c b/drivers/reset/core.c
> > index 0135dd0ae204..58ecde760b6e 100644
> > --- a/drivers/reset/core.c
> > +++ b/drivers/reset/core.c
> > @@ -856,7 +856,6 @@ static int reset_add_gpio_aux_device(struct device *parent,
> > ret = __auxiliary_device_add(adev, "reset");
> > if (ret) {
> > auxiliary_device_uninit(adev);
> > - kfree(adev);
> > return ret;
> > }
> >
> > --
> > 2.43.0
> >
> >
>
> With recent changes in reset core this all went away but yeah, looks right
> and should be backported.
>
> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Applied to reset/fixes, thanks!
[1/1] reset: gpio: fix double free in reset_add_gpio_aux_device() error path
https://git.pengutronix.de/cgit/pza/linux/commit/?id=fbffb8c7c7bb
regards
Philipp
© 2016 - 2026 Red Hat, Inc.